All Topics

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Topics

How to determine the Operating system language?

by in Getting Data In
‎12-07-2022 04:43 AM
‎12-07-2022 04:43 AM
Hi Team, Is there any way to determine the Operating system language before we ingest the logs in Splunk?  After ingesting the logs, will correlations work on servers with operating system language... See more...
Hi Team, Is there any way to determine the Operating system language before we ingest the logs in Splunk?  After ingesting the logs, will correlations work on servers with operating system languages other than English ?  Any alternate option to convert the language into English and get the output in the search head  
Labels

Is it possible to run a Script From Splunk on Remote Server?

by SplunkTrust in Splunk Enterprise
‎12-07-2022 03:27 AM
‎12-07-2022 03:27 AM
Hi Team, We have a requirement where we need to run script on remote server based on search condition from Splunk Example, from search results, found that for 10 servers, windows service is dow... See more...
Hi Team, We have a requirement where we need to run script on remote server based on search condition from Splunk Example, from search results, found that for 10 servers, windows service is down,  as a part of alert condition Splunk need to login into the remote server and start the service using script wanted to check can this be done?. any leads to related to recourses will be helpful     
Labels

Active Directory Returning duplicated events?

by in All Apps and Add-ons
‎12-07-2022 03:25 AM
‎12-07-2022 03:25 AM
So we're having this issue where all of our active directory events are coming back as having multiple duplicates of the same event. We had an issue with the Service accounts splunk used but all the ... See more...
So we're having this issue where all of our active directory events are coming back as having multiple duplicates of the same event. We had an issue with the Service accounts splunk used but all the domains we want to query can be queried now. Confirmed via ldaptestconnection. But this is specifically happening with searches relating to ldapfilter, below is the search we use, Note : the ldap_doamins.csv contains all the domains we have and what splunk so search. | inputlookup ldap_domains.csv WHERE enabled=1 | fields - enabled | ldapfilter search="(&(memberOf:1.2.840.113556.1.4.1941:=CN=Backup Operators,CN=Builtin,$baseDN$))" domain=$domain$ attrs="name,sAMAccountName,objectCategory,objectClass,objectSID" | tojson | eval _raw = replace(_raw,"^{","{\"query_type\":\"activedirectory:admin_groups\",\"taskid\":\"".now()."\",\"admin_group_dn\":\"CN=Backup Operators,CN=Builtin,".baseDN."\",") | eval _raw = replace(_raw,"\:\[\]",":\"\"") | foreach * [ | eval _raw=replace(_raw,"<<FIELD>>", lower("<<FIELD>>")) ] | fields _raw | collect `activedirectory_index` output_format=hec
Labels

Search Job Investigation after search with no results shows "None"?

by in Splunk Search
‎12-07-2022 03:10 AM
‎12-07-2022 03:10 AM
Hello, the following search      index=index1 message_type=query NOT ([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip]) NOT dns_request_client_ip=127... See more...
Hello, the following search      index=index1 message_type=query NOT ([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip]) NOT dns_request_client_ip=127.0.0.1 |stats count by dns_request_client_ip     shows me 23300 matched events and shows me a table in statistics with those results.  but when I try to use tstats (in that case the datamodel Network_Resolution has all the data for index1) it  shows me 0 results, even tho when I only search the tstats datamodel with no other things like lookup etc. it gives me 5 million matches but doesn't show me anything in statistics.  also, in job inspector it shows me that the highlighted portion didn't result in any results and the only highlightet part is behind |tstats (in which nothing should be) and it says "NONE |tstats .... " why is this none there? my tstat is as follows:        |tstats count as count from datamodel=Network_Resolution where (message_type=query) by dns_request_client_ip     and then I try to combine it with the rest of the search as stated above via |search:        |search NOT ([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip]) NOT dns_request_client_ip=127.0.0.1 |stats count by dns_request_client_ip       there must be something logically wrong with my approach, right?    thanks a lot for any help. 

Why does ITSI Service Analyzer not show anything?

by in Splunk Search
‎12-07-2022 03:01 AM
‎12-07-2022 03:01 AM
I get troubleshoot following splunk.doc  but it s not working.  Anyone have any solutions.
Labels

How can I convert it to splunk time format?

by in Splunk Search
‎12-07-2022 02:35 AM
‎12-07-2022 02:35 AM
Hi, I have a field in the logs like below       2022-12-07T08:40:14.253180536       How can I convert it to splunk time format? I need to eventually select this field in the table... See more...
Hi, I have a field in the logs like below       2022-12-07T08:40:14.253180536       How can I convert it to splunk time format? I need to eventually select this field in the table, so the conversion should work within stats
Labels

How to disable IOWAIT?

by in Alerting
‎12-07-2022 02:17 AM
‎12-07-2022 02:17 AM
We've just upgraded to Splunk 9.0.2 and can see IOWAIT is alerting when logging onto the MASTER that the health is red even though CloudWatch is reporting everything is fine and no complaints from th... See more...
We've just upgraded to Splunk 9.0.2 and can see IOWAIT is alerting when logging onto the MASTER that the health is red even though CloudWatch is reporting everything is fine and no complaints from the users.  I've spoken to SLT and they are happy for this alert to be disabled. Any ideas?
Labels

What add-on can I use for integration of HPE iLO logs?

by in Getting Data In
‎12-07-2022 12:58 AM
‎12-07-2022 12:58 AM
Hi all, is there an existing add-on that I can use for getting HPE iLO data into splunk? I am planning on ingesting it with a universal forwarder from a central server used as a repository.  Th... See more...
Hi all, is there an existing add-on that I can use for getting HPE iLO data into splunk? I am planning on ingesting it with a universal forwarder from a central server used as a repository.  Thank you, O.  

AppDynamics License usage by application name

by in Splunk AppDynamics
‎12-07-2022 12:57 AM
‎12-07-2022 12:57 AM
Hi, Can we get the license usage summary by application name using API? I’ve tried the license usage with the license ID and account ID but getting the availability of the license as an output.  ... See more...
Hi, Can we get the license usage summary by application name using API? I’ve tried the license usage with the license ID and account ID but getting the availability of the license as an output.  GET /controller/licensing/v1/usage/license/{licenseId}  (http://<host>:<port>/controller/licensing/v1/usage/license/{licenseId} http://<host>:<port>/controller/licensing/v1/usage/account/{accountId}) These APIs are running well but not getting the output I’m looking for. I’m looking for the usage, like how much of the license is consumed in real-time.   I appreciate any help you can provide.
Labels

How to prevent automatic translation of input labels?

by in Dashboards & Visualizations
‎12-07-2022 12:25 AM
1 Karma
‎12-07-2022 12:25 AM
1 Karma
Hello, I noticed that Splunk automatically translates input labels based on the user's locale. Dashboards with English labels are translated to German when the user locale is de-DE. Here is an ex... See more...
Hello, I noticed that Splunk automatically translates input labels based on the user's locale. Dashboards with English labels are translated to German when the user locale is de-DE. Here is an example:     <form version="1.1"> <label>Test</label> <fieldset submitButton="false"> <input type="text" token="From"> <label>From</label> </input> <input type="text" token="To"> <label>To</label> </input> </fieldset> </form>     en-US: de-DE: Not only is the translation unwanted, the translation is also wrong. (In this context, "to" should be translated to "für" or "an".) Is it possible to disable this kind of behavior? I found two other posts. The solutions were 1) change each input field individually (https://community.splunk.com/t5/Dashboards-Visualizations/How-to-prevent-translation-of-labels-and-input-fields-in/m-p/537380) and 2) change the user locale to English (https://community.splunk.com/t5/Dashboards-Visualizations/How-to-avoid-translation-on-input-field-in-a-dashboard/td-p/477152). However, I would prefer a global setting to disable automatic translations.    
Labels

How can I make interpolation between given two points in Splunk, where time variable is not involved?

by in Splunk Search
‎12-06-2022 11:48 PM
‎12-06-2022 11:48 PM
Hi Team,  Considering the image shared below:-  x1 is my x-axis and y1 is my y-axis.  I would like to interpolate values for x1, var1 & var2 and not for y1 as shown below: - @interpol... See more...
Hi Team,  Considering the image shared below:-  x1 is my x-axis and y1 is my y-axis.  I would like to interpolate values for x1, var1 & var2 and not for y1 as shown below: - @interpolation, @ scatterplot.   Any leads are welcome here  
Labels

Help with SPL for report generation?

by in Splunk Search
‎12-06-2022 11:30 PM
‎12-06-2022 11:30 PM
Hello Splunkers!! I need the results as per the below format. I have tried some SPL but not achieved with the expected results. Please help me to achieve the same.   Order Status AU N... See more...
Hello Splunkers!! I need the results as per the below format. I have tried some SPL but not achieved with the expected results. Please help me to achieve the same.   Order Status AU NZ UK 02:00:00 created. 10 11 12   released 9 8 6   shipped 6 7 4               AU NZ UK 03:00:00 created. 10 11 12   released 9 8 6   shipped 6 7 4 What I have done so far In SPL : index="ABC "OrderStatus=created" OR "OrderStatus=Shipped" OR "OrderStatus=Released" OR "OrderStatus=Cancelled" | rex field=_raw "SellerOrganizationCode\=one\_(?<Market>[A-Z]{2})" | search NOT (Market="CA" OR Market="US" OR Market="KO" OR Market="SE" OR Market="NL" OR Market="IE" OR Market="NO" OR Market="LA") | replace CH WITH EU GB WITH UK | bin _time span=1h | eval Time=strftime(_time,"%m/%d-%y %H:%M:%S.%Q %p") | eval newtime=strptime(Time,"%m/%d-%y %H:%M:%S.%Q %p") | eval Time_Hour=strftime(newtime,"%m/%d/%Y %H:%M") | chart count by Time_Hour,Market usenull=f | addtotals col=true row=true label=Total labelfield=Time_Hour | rename Total as "Total orders for the hour"

How to create timechart for a stat count result for every single hour for date range selection?

by in Dashboards & Visualizations
‎12-06-2022 09:46 PM
‎12-06-2022 09:46 PM
Hi,  Splunkers,    I have dashboard ,which has a table ouput like  below: | table _time, column1, column2, column3 time    column1 column2    column3 xxx      a                  1234        ... See more...
Hi,  Splunkers,    I have dashboard ,which has a table ouput like  below: | table _time, column1, column2, column3 time    column1 column2    column3 xxx      a                  1234           1234 xxx      b                  3243           3434 xxx      c                  2343           3434 xxx      a                  1234           1234 xxx      b                  3243           3434 xxx      a                   2343          3434 when I add  |stats count by column1: | table column1, column2, column3 | stats count by column1 column1     count a                      3 b                     2 c                     1 I want to have a chart to display this stats count result in different time period, when I select different time/date range, like when I select 7 days, I want this stats count  columns1 result showing in every single hour for each day for 7 days date range I selected. I am a splunk beginner, not sure if I describe my requirement clearly... thx in advance. Kevin  
Labels

Why do the indexing time of all UF logs gets delayed, including the internal logs (This delay occurs every 30mins)?

by in Getting Data In
‎12-06-2022 09:30 PM
‎12-06-2022 09:30 PM
I have a issue: On one of my UF,  The indexing time of all the logs (including the internal logs) get delayed for 2-3mins, and This delay occurs every 30mins. other UFs looks ok. we have checked t... See more...
I have a issue: On one of my UF,  The indexing time of all the logs (including the internal logs) get delayed for 2-3mins, and This delay occurs every 30mins. other UFs looks ok. we have checked the queue on this UF is not blocked. we have changed [thruput]maxKBps = 0   But the indexing time issue is still there. Can anyone please help with this issue ? Do we need to check more configs or logs?   When indexing time get delayed I can see logs below:  [logs]: INFO Watchdog - No response received from IMonitoredThread=0xxxxxxxxx within elapsed=8000 ms. Looks like thread_name="TcpOutEloop" thread_id=1xxxx is busy !? Starting to trace with timeout=8000 ms interval.   INFO Watchdog - Stopping trace. Response for IMonitoredThread ptr=0xxxxxxxxx - thread_name="TcpOutEloop" thread_id=1xxxx - finally received after 3xxxx ms (estimation only).   INFO HealthChangeReporter - feature="Ingestion Latency" indicator="ingestion_latency_lag_sec" previous_color=green color=yellow due_to_threshold_value=15 measured_value=30 reason="Events from tracker.log are delayed for 30 seconds, which is more than the yellow threshold (15 seconds). This typically occurs when indexing or forwarding are falling behind or are blocked."   Possible is the UF being used to monitor too many files at the same time?  so , make  thread name='TcpOutEloop' busy ?  
Labels

How to frame this Pie chart- Dashboard panel?

by in Splunk Enterprise
‎12-06-2022 02:09 PM
‎12-06-2022 02:09 PM
below query: index=app_mnt_apl  source=xxxx   note: here the CustomerApp Details:  Countywise or CustomerApp Details:  Worldwise or CustomerApp Details:  Areawise are not in interested fields. ... See more...
below query: index=app_mnt_apl  source=xxxx   note: here the CustomerApp Details:  Countywise or CustomerApp Details:  Worldwise or CustomerApp Details:  Areawise are not in interested fields. Sample logs: 2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Countywise 2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Worldwise 2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Areawise 2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details:  Countywise 2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Worldwise 2022-11-12  15:12:27,678 [hanper risk-100] h.t.i.l.g. applicationreportanalysis [565677nmnm7676] - [THY-j767676] - [thy-application_THY] - CustomerApp Details: Areawise I want to represent  CustomerApp Details: Areawise, Worldwise and countrywise   in a form of a pie  chart. how to frame the query to get this???
Labels

How to search spath field and value pairs?

by in Splunk Search
‎12-06-2022 01:41 PM
‎12-06-2022 01:41 PM
I have a log file that is coming into splunk in json format.  There appear to be two fields of interest, "key" and "value."   key: originid origintype template starttime endtime justification... See more...
I have a log file that is coming into splunk in json format.  There appear to be two fields of interest, "key" and "value."   key: originid origintype template starttime endtime justification value - (has the values for each of the items in "key."): 12345 (is not always the same id) BuiltInRole (is not always the same) 85750845e54 (is not always the same) 2022-12-03T14:00:00:00.5661018Z 2022-12-04T14:00:00:00.5661018Z some reason to satisfy the justification I want have the following: originid = 12345 origintype = BuiltInRole template = 85750845e54 starttime = 2022-12-03T14:00:00:00.5661018Z endtime = 2022-12-04T14:00:00:00.5661018Z justification = some reason to satisfy the justification Thanks for the help and guidance.                
Labels

How to get only latest try of a job?

by in Splunk Search
‎12-06-2022 12:47 PM
‎12-06-2022 12:47 PM
I need to show only the results of the job. Job try multiple times in case of failure. So if the job passed on 3rd attempt then I do not want to include it in the failed job counter. Sample logs ... See more...
I need to show only the results of the job. Job try multiple times in case of failure. So if the job passed on 3rd attempt then I do not want to include it in the failed job counter. Sample logs {"id":"1", "status": "Failed","retry":"1"} {"id":"1", "status": "Failed","retry":"2"} {"id":"1", "status": "Failed","retry":"4"} {"id":"1", "status": "Failed","retry":"5"} {"id":"2", "status": "Passed","retry":"1"} {"id":"3", "status": "Failed","retry":"1"} {"id":"3", "status": "Passed","retry":"1"} In the above example counter should show value 0f 1 since only job 1 is failed in last try
Labels

How can I change Threat intelligence setting the default time that the removal process runs for threat sources?

by in Splunk Enterprise Security
‎12-06-2022 11:46 AM
‎12-06-2022 11:46 AM
In the documentation at https://docs.splunk.com/Documentation/ES/7.0.2/Admin/Changethreatintel under  Review the logic for retention the document states, "The threat retention input runs every 24 ... See more...
In the documentation at https://docs.splunk.com/Documentation/ES/7.0.2/Admin/Changethreatintel under  Review the logic for retention the document states, "The threat retention input runs every 24 hours by default" If it runs every 24 hours by default, how do you change that behavior? What process/search/whatever runs the threat retention input?  Where is it defined?  Can it be run manually? Thanks, --Keith
Labels

Variable range values with a token?

by in Dashboards & Visualizations
‎12-06-2022 11:45 AM
‎12-06-2022 11:45 AM
Hi all, I have a dashboard that has a single value panel. I am trying to make a dynamic panel that will change with the data. I need to display the result number in the panel, but the coloring nee... See more...
Hi all, I have a dashboard that has a single value panel. I am trying to make a dynamic panel that will change with the data. I need to display the result number in the panel, but the coloring needs to be dependent on another number. Example data: Total Sandwiches Made   Name Cheese Ham PB Turkey sum marker topTh Total   1110 270 110 710 Total 2 110 2200 Bill 400 100 20 600   2 110 1120 Pam 700 120 80 100   2 110 1000 Finn 10 50 10 10   1 110 80 And the example SPL: index=food sourcetype=sandwiches | stats sum(Cheese) as Cheese sum(Ham) as Ham sum(PB) as PB sum(Turkey) as Turkey by Name | addtotals row=t col=t labelfield="sum" | eval topTh=case(sum="Total", (Total*.05), 1=1, null()) | sort topTh | filldown topTh | eval marker=if(Total>=topTh, 2,1) Basically, if the marker is 1, I'd like the color of the number to be one color and a different one for 2 while still displaying the 'Total' field. I have the options as this: <option name="colorBy">value</option> <option name="drilldown">all</option> <option name="field">Total</option> <option name="rangeColors">["0x53A051","0xeb5654"]</option> <option name="rangeValues">[$lowerThresh$,$upperThresh$]</option> <option name="refresh.display">none</option> <option name="useColors">1</option> and additional logic above it: <done> <condition match="'result.marker'==2"> <set token="lowerThresh">1</set> <set token="upperThresh">2</set> </condition> </done> Any help would be greatly appreciated.
Labels

Defining different intervals for the Trend & Sparkline indicators on a single value visualization.

by in Dashboards & Visualizations
‎12-06-2022 11:09 AM
‎12-06-2022 11:09 AM
I have a simple tstats based query that looks for how many hosts have checked in over a period of time and then displays it as a single value visualization on a dashboard. The query and visualization... See more...
I have a simple tstats based query that looks for how many hosts have checked in over a period of time and then displays it as a single value visualization on a dashboard. The query and visualization work perfectly, but I was trying to figure out if I can get the trend indicator and the trendline to use different intervals. | tstats dc(host) WHERE index="$site$" earliest=-14d@d latest=@d by _time span=7d Currently, the visualization will show: Value: The # of hosts that reported in over the past 7 days. Trend Indicator: The difference between the last 7 days and the previous 7-day period. Trendline: A simple line with two points showing that difference. Ideally, I'd like to be able to define a 1d interval for the trendline to communicate to the user when the increases/decreases occurred. 
Labels